
Covert Data Channel in TLS Dodges Network Perimeter Protection

Researchers have found a new covert data exchange technique that abuses the TLS protocol that can circumvent traditional network perimeter protections.

Researchers have released a proof-of-concept framework for a new covert channel for data exchange using the Transport Layer Security (TLS) protocol. The method exploits the public key certificate standard X.509 and could allow for post-intrusion C2 communication and data exfiltration to go unnoticed despite network perimeter protections.

According to Fidelis researchers, the covert data exchange takes advantage of the TLS handshake at the point where certificates are exchanged. The technique doesn’t require – or ever establish – a TLS session. The covert data exchange takes place while the two endpoints are negotiating the handshake, using X.509 certificate extensions.

“Data transferred via X.509 extensions may bypass detection methods that do not inspect certificate values,” according to a technical explanation of a proof-of-concept published Monday.

“This would enable someone who already has persistence inside of a network to get past the perimeter defenses and perform a data exchange,” said Chad Robertson, director of threat research at Fidelis in an interview. “It’s a unique and novel method of covert data exchange and would have to be specifically looked for at the perimeter by a device that was inspecting certificates or anomalies in order to see the data embedded inside certificates.”

The attack is similar to data-cloaking techniques such as DNS tunneling, which abuses TXT records in the DNS protocol served by top- and second-level domain name servers.

Fidelis said that in the case of abusing the X.509 extension, an adversary could “place arbitrary binary data into the certificate or utilizing them as a covert channel.”

“[The] TLS X.509 certificates have many fields where strings can be stored… The fields include version, serial number, issuer name, validity period and so on. The certificate abuse described in our research takes advantage of this fact to hide data transfer inside one of these fields. Since the certificate exchange happens before the TLS session is established, there appears to never be data transfer, when in reality the data was transferred within the certificate exchange itself.”
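Robertson's remark that the channel "would have to be specifically looked for at the perimeter by a device that was inspecting certificates or anomalies" is the defensive angle worth illustrating. The Python below is an added example, not Fidelis's proof-of-concept and not code from this article: it walks a DER-encoded certificate with a minimal ASN.1 reader (standard library only), pulls out every extension, and flags any whose value is unusually large or close to random (8 bits/byte), which is what a compressed or encrypted payload looks like next to the small, structured values ordinary extensions carry. The sample certificate it inspects is constructed inline, unsigned, with a placeholder private-enterprise OID (`1.3.6.1.4.1.99999.1`); the thresholds (512 bytes, 7.0 bits/byte) are assumed starting points, not figures from the research.

```python
"""Flag X.509 extensions that look like a covert data channel (oversized or
high-entropy extnValue).  Added example, not Fidelis's code or the article's."""
import math
from collections import Counter

# ---- minimal DER helpers (single-byte tags only, which is all X.509 uses) ----

def der_len(n):
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    out = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(out)]) + out

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                       # base-128, high bit set on all but the last byte
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40]  # adequate for the 0./1./2. arcs seen in certs
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def read_tlv(buf, pos=0):
    """Return (tag, contents, position after this element)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def iter_tlvs(buf):
    pos = 0
    while pos < len(buf):
        tag, body, pos = read_tlv(buf, pos)
        yield tag, body

# ---- detection logic ----

def certificate_extensions(cert_der):
    """Yield (oid, critical, extnValue bytes) for each extension.  The signature
    is deliberately not checked: the channel works before any trust decision."""
    _, cert_body, _ = read_tlv(cert_der)         # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert_body)              # tbsCertificate ::= SEQUENCE
    for tag, body in iter_tlvs(tbs):
        if tag != 0xA3:                          # [3] EXPLICIT Extensions
            continue
        _, ext_list, _ = read_tlv(body)          # SEQUENCE OF Extension
        for _, ext in iter_tlvs(ext_list):
            fields = list(iter_tlvs(ext))        # OID, [BOOLEAN critical], OCTET STRING
            critical = len(fields) == 3 and fields[1][1] != b"\x00"
            yield decode_oid(fields[0][1]), critical, fields[-1][1]

def shannon_entropy(data):
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def suspicious_extensions(cert_der, max_bytes=512, min_entropy=7.0):
    """Assumed thresholds: real extensions are small and structured; compressed
    or encrypted payloads approach 8 bits/byte."""
    findings = []
    for oid, _critical, value in certificate_extensions(cert_der):
        reasons = []
        if len(value) > max_bytes:
            reasons.append(f"size {len(value)} B > {max_bytes} B")
        ent = shannon_entropy(value)
        if ent > min_entropy:
            reasons.append(f"entropy {ent:.2f} bits/byte > {min_entropy}")
        if reasons:
            findings.append((oid, reasons))
    return findings

# ---- constructed sample input (unsigned; key and signature bytes are dummies) ----

PLACEHOLDER_OID = "1.3.6.1.4.1.99999.1"   # placeholder private-enterprise arc, not a real assignment

def build_sample_cert(extra_value, extra_oid=PLACEHOLDER_OID):
    """Structurally valid v3 certificate: basicConstraints plus one private extension."""
    rsa_sha256 = tlv(0x30, encode_oid("1.2.840.113549.1.1.11") + tlv(0x05, b""))
    name = tlv(0x30, tlv(0x31, tlv(0x30, encode_oid("2.5.4.3") + tlv(0x0C, b"sample"))))
    tbs = tlv(0x30,
        tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + rsa_sha256 + name   # v3, serial, sig alg, issuer
        + tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"250101000000Z")) + name  # validity, subject
        + tlv(0x30, tlv(0x30, encode_oid("1.2.840.113549.1.1.1") + tlv(0x05, b"")) + tlv(0x03, b"\x00" * 17))
        + tlv(0xA3, tlv(0x30,
            tlv(0x30, encode_oid("2.5.29.19") + tlv(0x01, b"\xff") + tlv(0x04, tlv(0x30, b"")))
            + tlv(0x30, encode_oid(extra_oid) + tlv(0x04, extra_value)))))
    return tlv(0x30, tbs + rsa_sha256 + tlv(0x03, b"\x00" * 33))

if __name__ == "__main__":
    blob = bytes(range(256)) * 4        # stands in for a compressed or encrypted payload
    for oid, reasons in suspicious_extensions(build_sample_cert(blob)):
        print(oid, "; ".join(reasons))
```

Run as a script it reports the placeholder OID with both a size and an entropy reason, while the benign basicConstraints extension stays quiet. In a real deployment the same two measures would be computed on the certificate bytes a TLS-inspecting sensor already sees in the ServerHello/Certificate message, so they work regardless of whether the session is ever completed, which is exactly the case the research describes.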

Initial research into this covert data exchange was outlined at the infosec conference BSides in Kansas City, MO in July. “Since then, we have done additional research to the point where we can demonstrate embedding Mimikatz into this field in the certificate exchange during the TLS negotiations,” Robertson said.

On Monday, Fidelis released a proof-of-concept attack, hosted on GitHub, that includes the framework for exchanging the data. It complements additional research on TLS abuse (PDF) that Fidelis released in January.

Fidelis says it was able to store 60 kilobytes of data in each TLS X.509 exchange. “You could establish this channel and perform rapid certificate negotiations enabling the data transfer of large amounts of data,” Robertson said.

This is a red herring and this is a poor attempt by Fidelis to gain some press coverage. In order for this "attack" to occur:
1. A PKI CA key or enrollment process must be compromised - Any well-run PKI will protect against this. The enrollment should limit extensions and reject any enrollment. Even Subject Alt names should be validated to be existing devices within owned domains.
2. An external-facing web server within the company must be compromised in order to swap the SSL certificate that will "respond" with covert data in its compromised extensions. - Again, any well-run company has established hardened networks for externally facing devices and this is not simple.
Once BOTH of these things have been completed THEN the "attack" mentioned can happen, but if either #1 or #2 has already occurred there is much more damage that can be done without the need of using this "covert" channel.

Authors

Threatpost
